Exchange Online Admin Console Part II - RBAC & Auditing

Role-Based Access Control 

Exchange Online uses a Role-Based Access Control (RBAC) model that allows organizations to finely control what users and administrators can do in the service. Using RBAC, administrators can delegate tasks to employees in the IT department as well as to non-IT employees.

Administrators can use the Exchange Control Panel to assign users to built-in roles and role groups. Alternatively, they can use Remote PowerShell to create custom RBAC roles.

The following role groups are available by default in Exchange Online:

Organization Management

View-Only Organization Management

Recipient Management

Unified Messaging Management

Help Desk

Records Management

Discovery Management

The Microsoft Online platform has an implementation of role-based permissions that is separate from Exchange Online RBAC. Users who are Global Administrators or Service Administrators in Microsoft Online are automatically assigned to the Organization Management role group in Exchange Online. Users who are Help Desk Administrators in Microsoft Online are automatically assigned to the Help Desk role group in Exchange Online. Otherwise, the two security models are managed separately.

User Roles

Assign users to manage his OWA settings. 

Auditing

Exchange Online provides two types of built-in auditing capabilities:

·         Administrator Audit Logging: Allows users to track changes made by their administrators in the Exchange Online environment, including changes to RBAC roles or Exchange policies and settings.

·         Mailbox Audit Logging: Allows users to track access to mailboxes by users other than the mailbox owner, including access by delegates and access to shared mailboxes.